We have developed the Big Team Challenge platform from the ground up and take the security and protection of the data we store and process seriously.
In an effort to be clear and open about our platform and security, this page details some important information for our customers.
If you have any unanswered questions regarding data privacy, please email [email protected] and we'll get back to you. If you need to report a security incident you can instead email [email protected].
Hosting and Storage
We use cloud hosting to host the Big Team Challenge application and database servers:
UpCloud is currently our primary hosting company where we host exclusively in their London (UK-LON1) region data centre - ISO 27001 certified and powered by 100% renewable energy. We use Ubuntu LTS virtual servers with secure authentication and automatic unattended security updates as standard. For more information on UpCloud and their network see https://upcloud.com/data-centres.
Cloud Above are currently our secondary hosting company and are based in the UK. Their servers are located in UK data centres with ISO 27001 and 9001 certification.
We use Google Cloud for database and file backup storage, both in their europe-west2 (London) data centre.
Amazon Web Services is our tertiary (fallback) hosting company with UK and EU region hosting.
Finally, our marketing website is hosted with Webflow, separately from our web app.
Technology
The Big Team Challenge platform is a bespoke and proprietary web app and mobile app, developed for web, iOS and Android in PHP, Objective-C/Swift and Java respectively.
Our experienced developers build and maintain our web and mobile apps, following industry standard practices and techniques. We use a number of third-party and open-source libraries within our web and mobile apps and keep up to date with any major vulnerabilities or security patches as appropriate.
Our web and mobile apps employ a number of security features including CSRF protection, sanitisation, throttling, logging, validation, hashing and encryption.
User passwords are never saved or communicated as plain-text or hashed using an outdated, vulnerable algorithm. We use secure one-way Bcrypt hashing as standard. Other sensitive information that is stored on file or database may be AES encrypted and decrypted as required "on-the-fly" using mcrypt with a private encryption key.
All HTTP requests for our web app and API are encrypted in transit over mandatory SSL/HTTPS connections (TLS 1.2 or 1.3). We do not currently encrypt all data at rest on our servers.
Our multi-tenant architecture uses separate MySQL tenant databases, increasing security and allowing us to safely delete or restore data for a specific customer.
We use Cloudflare for DNS, employing standard and custom WAF rules and DDoS protection against common attacks and malicious traffic.
Data Retention
Our standard retention period for all data is 2 years after the last challenge date or distance entry. There are exceptions for financial and invoicing data, however all participant data can be deleted on request within the 2 year period.
When participants are deleted, their data is also automatically deleted from Intercom, our support and live chat inbox.
Finally, our off-site data backups are automatically deleted after 21 days via Google Cloud.
Sub Processors
We have Data Processor Agreements / Addendums with all of our sub-processors. For data transfers outside the UK / EU, we rely on Standard Contractual Clauses (SCC) as part of those agreements.
Organiser (non-participant) data only:
Accounting Software: Freeagent (freeagent.com) - UK.
Internal Communication: JIRA / Atlassian, Inc. (atlassian.com) - Various: Ireland (primary), Singapore, Sydney, Frankfurt, USA.
Internal Communication: Twist / Doist Inc. (twistapp.com) - USA.
Internal Communication: Microsoft Teams / Microsoft Corporation (teams.microsoft.com) - EU data centre, USA entity.
Payments: Stripe (stripe.com) - Various including USA, entity country.
Website Contact Form Processing: Zapier (zapier.com) - USA.
Website Spam Filtering: Akismet / Automattic Inc (akismet.com) - USA.
Organiser and participant data:
Data Storage, Hosting + Backups: UpCloud (upcloud.com) - UK data centre, EU entity.
Data Storage, Backups + Analytics: Google Cloud / Google Analytics (google.com) - UK data centre, USA entity.
Data Storage, Hosting, Backups, Email Inbox + Server Management: Cloud Above / SW Broadband (cloudabove.com) - UK.
Data Storage, Hosting, Backups + Email Delivery: Amazon Web Services (aws.amazon.com) - UK and EU data centres, USA entity.
Optional Mobile Debug Logging: ShipBook (shipbook.io) - EU.
Email Delivery: Postmark (postmarkapp.com) - USA.
Email Support / Chat: Crisp IM SAS (crisp.chat) - EU (not currently used).
Email Support prior to 15th April 2024: Intercom (intercom.com) - Various: Ireland and USA, USA entity.
Email Support / Chat: Intercom R&D Unlimited Company (intercom.com) - EU.
Error Handling: Sentry (sentry.io) - USA.
Security + Firewall: Cloudflare (cloudflare.com) - Various including USA, entity country.
Internal company data:
Password Management: 1Password / AgileBits, Inc. (1password.eu) - EU data centre, USA entity.
We notify data controllers of any change to our list of sub-processors. In the case of objection, unfortunately we may no longer be able to provide the Service without the engagement of the new sub-processor.
Emails
Our app messages come from two email addresses:
[email protected] (for transactional emails, i.e. email verifications, password resets, team invites, etc.). Delivered via Postmark - IP addresses at https://postmarkapp.com/support/article/800-ips-for-firewalls
[email protected] (for broadcast emails, i.e. any challenge updates you send through the admin). Delivered via Amazon Web Services - IP addresses at https://aws.amazon.com/blogs/messaging-and-targeting/amazon-ses-ip-addresses/
We also use Intercom for all email support and communication. We accept emails at [email protected] and emails should come from the bigteamchallenge.com or big-team-challenge.intercom-mail.eu domains.
Confidentiality
Our privacy policy details how we use and process data, where we act as either a data controller or data processor. It also lists our sub-processors, with each of whom we have a DPA (with SCC where applicable), a required business case for sub-processing and a limited scope of data.
The operation and support of Big Team Challenge requires specific Team Challenge Apps Ltd employees and subcontractors to have access to personal data through internal systems or server and database access. We have strict controls and logging in place on any personal data access, including two-factor authentication and key-based access. Appropriate policies and agreements are in place with all employees and subcontractors.
Availability
We appreciate the trust that our customers put in our platform and we are committed to providing a high level of availability. Our average 12 month availability for 2021 was 99.99%, with 9 out of 12 months having 100%. Any scheduled maintenance or unexpected incidents are reported and updated on our dedicated status page, hosted with industry leader Atlassian - bigteamchallengestatus.com.
Our disaster recovery plan is currently under review to improve our redundancy, including failover to a secondary data centre and hosting company in the event of a major outage.
Our databases have point-in-time recovery and are also backed up offsite twice daily and retained for 21 days. User uploads and files are backed up daily.
Security Incident Response
We have a named security officer and platform specific technical staff who will promptly review and take necessary actions in the event of a security breach or reported incident. We will report any unauthorised access or data breach to the ICO and affected customers without undue delay and within 72 hours.
Enterprise Use
Big Team Challenge is designed and developed with security and privacy in mind, and we are transparent about our practices and technology.
However, given the limited scope of data processing and the size of our company, we are unable to participate in individual audits or complete detailed questionnaires such as those typically required of enterprise level applications. While we are constantly reviewing our security policies and processes, we regrettably may not have all requested audit evidence or certification to share.